From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, fifteen, updated. 303c90a4c16cbc4f1453b4b1a8fa4c47449830a7
Date: Sat, 07 Sep 2013 16:11:16 +0200	[thread overview]
Message-ID: <20130907141116.B936420F97@argus.ipfire.org> (raw)


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, fifteen has been updated
       via  303c90a4c16cbc4f1453b4b1a8fa4c47449830a7 (commit)
       via  27ba58fb46cc5c91618d6c5e70d521b0a381afe8 (commit)
       via  d69bf6191aaae1a92ff7dd6012135b15509bc7b4 (commit)
       via  409cd018c51fc4b866b2c8ae78597bc88c3b5c17 (commit)
      from  270c0c0ef03de6b912aeee63d117df6fb64a37e4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 303c90a4c16cbc4f1453b4b1a8fa4c47449830a7
Merge: 27ba58f 270c0c0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Sep 7 16:11:10 2013 +0200

    Merge branch 'fifteen' of ssh://git.ipfire.org/pub/git/ipfire-2.x into fifteen

commit 27ba58fb46cc5c91618d6c5e70d521b0a381afe8
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Sep 7 16:10:02 2013 +0200

    wirelessctrl: Silence error messages when no BLUE device is configured.

commit d69bf6191aaae1a92ff7dd6012135b15509bc7b4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Sep 7 15:21:40 2013 +0200

    wirelessctrl: Re-indent the code.

commit 409cd018c51fc4b866b2c8ae78597bc88c3b5c17
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Sep 7 15:04:41 2013 +0200

    optionsfw: Use saner defaults for DROPPROXY and DROPSAMBA.

-----------------------------------------------------------------------

Summary of changes:
 lfs/configroot                |   4 +-
 src/misc-progs/wirelessctrl.c | 301 ++++++++++++++++++++----------------------
 2 files changed, 143 insertions(+), 162 deletions(-)

Difference in files:
diff --git a/lfs/configroot b/lfs/configroot
index d91dbeb..ba6770b 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -122,8 +122,8 @@ $(TARGET) :
 	echo  "FWPOLICY2=DROP"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPPORTSCAN=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPOUTGOING=on"		>> $(CONFIG_ROOT)/optionsfw/settings
-	echo  "DROPSAMBA=on"		>> $(CONFIG_ROOT)/optionsfw/settings
-	echo  "DROPPROXY=on"		>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DROPSAMBA=off"		>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DROPPROXY=off"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "SHOWREMARK=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "SHOWCOLORS=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "SHOWTABLES=off"		>> $(CONFIG_ROOT)/optionsfw/settings
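Review bot: Switching DROPSAMBA and DROPPROXY to `off` loosens the restrictions a fresh install places on the BLUE (wireless) network, and neither the hunk nor the commit message records why the previous deny-by-default was judged unsuitable. A short rationale in the commit message, or a make comment above these two recipe lines such as `# DROPSAMBA/DROPPROXY default to off: <reason>`, would let the next maintainer judge whether to flip them back. As far as this hunk shows, the values are only echoed into the initial settings file, so existing installations presumably keep whatever they already have — worth confirming before relying on the new default anywhere else.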
diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
index 450aa36..1016613 100644
--- a/src/misc-progs/wirelessctrl.c
+++ b/src/misc-progs/wirelessctrl.c
@@ -5,8 +5,6 @@
  *
  * (c) Alan Hourihane, 2003
  *
- * $Id: wirelessctrl.c,v 1.2.2.5 2005/07/11 10:56:47 franck78 Exp $
- *
  */
 
 #include "libsmooth.h"
@@ -25,167 +23,150 @@ FILE *fd = NULL;
 char blue_dev[STRING_SIZE] = "";
 char command[STRING_SIZE];
 
-void exithandler(void)
-{
-				/* added comment mark to the drop rules to be able to collect the bytes by the collectd */
-				if(strlen(blue_dev))
-				{
-				snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
-				safe_system(command);
-				snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
-				safe_system(command);
-				}
-
-				if (fd)
-							fclose(fd);
+void exithandler(void) {
+	/* added comment mark to the drop rules to be able to collect the bytes by the collectd */
+	if (strlen(blue_dev) > 0) {
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+		safe_system(command);
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+		safe_system(command);
+	}
+
+	if (fd)
+		fclose(fd);
 }
 
-int main(void)
-{
-				char green_dev[STRING_SIZE] = "";
-				char buffer[STRING_SIZE];
-				char *index, *ipaddress, *macaddress, *enabled;
-				struct keyvalue *kv = NULL;
-
-				if (!(initsetuid()))
-							exit(1);
-
-				/* flush wireless iptables */
-				safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
-				safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
-
-				memset(buffer, 0, STRING_SIZE);
-
-				/* Init the keyvalue structure */
-				kv=initkeyvalues();
-
-				/* Read in the current values */
-				if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
-				{
-							fprintf(stderr, "Cannot read ethernet settings\n");
-							exit(1);
-				}
-
-				/* Read in the firewall values */
-				if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings"))
-				{
-							fprintf(stderr, "Cannot read optionsfw settings\n");
-							exit(1);
-				}
-
-				/* Get the GREEN interface details */
-				if(!findkey(kv, "GREEN_DEV", green_dev))
-				{
-							fprintf(stderr, "Cannot read GREEN_DEV\n");
-							exit(1);
-				}
-				if (!VALID_DEVICE(green_dev))
-				{
-							fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
-							exit(1);
-				}
-				/* Get the BLUE interface details */
-				if(!findkey(kv, "BLUE_DEV", blue_dev))
-				{
-							fprintf(stderr, "Cannot read BLUE_DEV\n");
-							exit(1);
-				}
-				if (strlen(blue_dev) && !VALID_DEVICE(blue_dev))
-				{
-							fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
-							exit(1);
-				}
-				if(! strlen(blue_dev) > 0)
-				{
-							fprintf(stderr, "No BLUE interface\n");
-							exit(0);
-				}
-
-				if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r")))
-					return 0;
-
-				/* register exit handler to ensure the block rule is always present */
-				atexit(exithandler);
-
-				if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
-				{
-							exit(0);
-				}
-
-				/* restrict blue access tp the proxy port */
-				if(findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"off")){
-							/* Read the proxy values */
-							if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer)))
-							{
-									fprintf(stderr, "Cannot read proxy settings\n");
-									exit(1);
-							}
-							snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp  ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
-							safe_system(command);
-							snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp  ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
-							safe_system(command);
-				}
-
-				/* not allow blue to acces a samba server running on local fire*/
-				if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"off")){
-							snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
-							safe_system(command);
-							snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
-							safe_system(command);
-							snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
-							safe_system(command);
-							snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
-							safe_system(command);
-				}
-
-				while (fgets(buffer, STRING_SIZE, fd))
-				{
-							buffer[strlen(buffer) - 1] = 0;
-
-							index = strtok(buffer, ",");
-							ipaddress = strtok(NULL, ",");
-							macaddress = strtok(NULL, ",");
-							enabled = strtok(NULL, ",");
-
-							if (!strncmp(enabled, "on", 2)) {
-
-							/* both specified, added security */
-							if ((strlen(macaddress) == 17) &&
-									(VALID_IP_AND_MASK(ipaddress))) {
-									snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
-									safe_system(command);
-									snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
-									safe_system(command);
-							} else {
-
-									/* correctly formed mac address is 17 chars */
-									if (strlen(macaddress) == 17) {
-													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
-													safe_system(command);
-													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
-													safe_system(command);
-									}
-
-									if (VALID_IP_AND_MASK(ipaddress)) {
-													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
-													safe_system(command);
-													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
-													safe_system(command);
-									}
-							}
-							}
+int main(void) {
+	char green_dev[STRING_SIZE] = "";
+	char buffer[STRING_SIZE];
+	char *index, *ipaddress, *macaddress, *enabled;
+	struct keyvalue *kv = NULL;
+
+	if (!(initsetuid()))
+		exit(1);
+
+	/* flush wireless iptables */
+	safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
+	safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
+
+	memset(buffer, 0, STRING_SIZE);
+
+	/* Init the keyvalue structure */
+	kv=initkeyvalues();
+
+	/* Read in the current values */
+	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
+		fprintf(stderr, "Cannot read ethernet settings\n");
+		exit(1);
+	}
+
+	/* Read in the firewall values */
+	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
+		fprintf(stderr, "Cannot read optionsfw settings\n");
+		exit(1);
+	}
+
+	/* Get the GREEN interface details */
+	if (findkey(kv, "GREEN_DEV", green_dev) > 0) {
+		if (!VALID_DEVICE(green_dev)) {
+			fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
+			exit(1);
+		}
+	}
+
+	/* Get the BLUE interface details */
+	if (findkey(kv, "BLUE_DEV", blue_dev) > 0) {
+		if ((strlen(blue_dev) > 0) && !VALID_DEVICE(blue_dev)) {
+			fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
+			exit(1);
+		}
+	}
+
+	if (strlen(blue_dev) == 0) {
+		exit(0);
+	}
+
+	if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r")))
+		return 0;
+
+	/* register exit handler to ensure the block rule is always present */
+	atexit(exithandler);
+
+	if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r"))) {
+		exit(0);
+	}
+
+	/* restrict blue access tp the proxy port */
+	if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"off") == 0) {
+		/* Read the proxy values */
+		if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer))) {
+			fprintf(stderr, "Cannot read proxy settings\n");
+			exit(1);
+		}
+
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp  ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
+		safe_system(command);
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp  ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
+		safe_system(command);
+	}
+
+	/* not allow blue to acces a samba server running on local fire*/
+	if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"off")){
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+		safe_system(command);
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+		safe_system(command);
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+		safe_system(command);
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+		safe_system(command);
+	}
+
+	while (fgets(buffer, STRING_SIZE, fd)) {
+		buffer[strlen(buffer) - 1] = 0;
+
+		index = strtok(buffer, ",");
+		ipaddress = strtok(NULL, ",");
+		macaddress = strtok(NULL, ",");
+		enabled = strtok(NULL, ",");
+
+		if (strncmp(enabled, "on", 2) != 0) {
+			/* both specified, added security */
+			if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) {
+				snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
+				safe_system(command);
+				snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
+				safe_system(command);
+			} else {
+				/* correctly formed mac address is 17 chars */
+				if (strlen(macaddress) == 17) {
+					snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
+					safe_system(command);
+					snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
+					safe_system(command);
 				}
 
-				/* with this rule you can disable the logging of the dropped wireless input packets*/
-				if(!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off")){
-							snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
-							safe_system(command);
+				if (VALID_IP_AND_MASK(ipaddress)) {
+					snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
+					safe_system(command);
+					snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
+					safe_system(command);
 				}
-				/* with this rule you can disable the logging of the dropped wireless forward packets*/
-				if(!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off")){
-							snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
-							safe_system(command);
-				}
-
-				return 0;
+			}
+		}
+	}
+
+	/* with this rule you can disable the logging of the dropped wireless input packets*/
+	if (!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off") == 0) {
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
+		safe_system(command);
+	}
+
+	/* with this rule you can disable the logging of the dropped wireless forward packets*/
+	if (!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off") == 0) {
+		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
+		safe_system(command);
+	}
+
+	return 0;
 }
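Review bot: The rewritten per-node test in the fgets loop is inverted: the old side ran the ACCEPT/RETURN rules when `strncmp(enabled, "on", 2)` returned 0 (entry enabled), but the new `!= 0` form inserts them only for entries that are not "on", so disabled clients are granted access and enabled ones are not; it should read `if (strncmp(enabled, "on", 2) == 0) {`. The same flip was applied to the DROPPROXY check (`strcmp(buffer,"off") == 0` now applies the proxy restriction only when the option is off) and to both DROPWIRELESSINPUT/DROPWIRELESSFORWARD logging checks, while the DROPSAMBA check keeps the original bare `strcmp(buffer,"off")`, so the option handling in this file is now internally inconsistent; each of those `== 0` comparisons should be `!= 0` to preserve the old meaning. Separately, the four strtok results are used unchecked, so a config line with fewer than four fields leaves `enabled` or `macaddress` NULL and the following strncmp/strlen is undefined behaviour; a guard such as `if (!index || !ipaddress || !macaddress || !enabled) continue;` after the fourth strtok would close that. Note also that `ipaddress` is validated with VALID_IP_AND_MASK before being placed in the iptables command, whereas `macaddress` is only checked for a length of 17; a format check on the MAC would make the two fields consistent.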


hooks/post-receive
--
IPFire 2.x development tree
